
Spam - any tips?

We seem to be under a spam attack with a malicious HTML attachment. I've blocked html, htm, etc. as a last resort.

The emails have gone straight through our UTM spam filter and are coming from outbound.protection.outlook.com with numerous IPs etc.

Anybody got any tips on how to block?



  • Most spam uses an "open" mail server to send email.

    I assume the use of outlook.com is not with a domain that is registered in the same location in 365 (each domain has its own CNAME).

    Try to add "strict dns" check in the smtp policy.

    This will reduce the spam and will also avoid mail sent from organizations that did not configure their mail server properly.

  • The rDNS is xxx.outbound.protection.outlook.com where xxx is the client name.

    Strict DNS is already enabled and it went straight through that. It's coming from multiple M$ mail servers!

  • Any chance to block these mails by Extra-RBL? Tell abuse@outlook.com what's going on, maybe they care.

    Best regards

    Alex


  • The UTM is now blocking and registering them as Malware/Phish.

    Still hitting us every 10 minutes or so constantly and all coming from Microsoft's servers.

    You would think that they would know what's going on by scanning outgoing content...

  • Louis sent me the headers of one of these emails. There's nothing there to find as the emails are coming from valid Outlook accounts. My guess would be infected user workstations as opposed to phished credentials.

    In this case, the best thing would be to submit a report to abuse@microsoft.com for any such email.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
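    The checks discussed above, as an added example that is not part of the original thread and not Sophos UTM's own logic: a small Python script that takes the connecting IP and reverse-DNS name from the Received header written by our own MX, runs a forward-confirmed reverse DNS (FCrDNS) check of the kind a "strict DNS" option performs, and then looks for HTML attachments. The sample message, its IP addresses (documentation ranges) and host names are constructed for the example, and the PTR/A tables are hypothetical stand-ins for real DNS queries so it runs offline. It shows what Bob describes: a message relayed through a valid outlook.com account passes the sender checks, so the attachment rule is the layer that actually stops it.

```python
import email
import re
from email import policy

# Constructed sample message for this example (not a real message from the
# thread); the IPs are documentation ranges and the host names are placeholders.
SAMPLE_MESSAGE = """\
Received: from NAM02-XYZ-obe.outbound.protection.outlook.com (mail-xyz.outbound.protection.outlook.com [192.0.2.10])
 by mx.example.net (SMTP proxy) with ESMTPS id 4F1A
 for <user@example.net>; Mon, 01 Jan 2018 10:00:00 +0000
Received: from SRV01.internal (10.0.0.5) by SRV02.internal (10.0.0.6)
 with Microsoft SMTP Server id 15.20; Mon, 01 Jan 2018 09:59:58 +0000
From: "Accounts" <accounts@example.com>
To: <user@example.net>
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/plain

Please see attached.
--B1
Content-Type: text/html; name="invoice.html"
Content-Disposition: attachment; filename="invoice.html"

<html><body>placeholder</body></html>
--B1--
"""

# Hypothetical DNS data standing in for real PTR and A lookups (offline stub).
PTR_TABLE = {"192.0.2.10": ["mail-xyz.outbound.protection.outlook.com"]}
A_TABLE = {"mail-xyz.outbound.protection.outlook.com": ["192.0.2.10"]}


def ptr_lookup(ip):
    return PTR_TABLE.get(ip, [])


def a_lookup(name):
    return A_TABLE.get(name, [])


OUTLOOK_SUFFIX = ".outbound.protection.outlook.com"
HTML_TYPES = {"text/html", "application/xhtml+xml"}


def connecting_host(msg):
    """Return (ip, rdns_name) from the topmost Received header, the only one
    written by our own MX; earlier hops are sender-supplied and forgeable."""
    received = msg.get_all("Received") or []
    if not received:
        return None, None
    m = re.search(r"\(([\w.-]+)\s+\[(\d{1,3}(?:\.\d{1,3}){3})\]\)", str(received[0]))
    if not m:
        return None, None
    return m.group(2), m.group(1).lower()


def fcrdns(ip, ptr, a):
    """Forward-confirmed reverse DNS: a PTR name must resolve back to ip.
    Returns the confirmed name, or None when the check fails."""
    for name in ptr(ip):
        if ip in a(name):
            return name
    return None


def html_attachments(msg):
    """Filenames of HTML parts carried as attachments. A normal HTML body
    has no filename and is not flagged."""
    found = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        looks_html = part.get_content_type() in HTML_TYPES or (name or "").lower().endswith((".html", ".htm"))
        if looks_html and (name or part.get_content_disposition() == "attachment"):
            found.append(name or "(unnamed)")
    return found


def assess(raw, ptr=ptr_lookup, a=a_lookup):
    """Combine the sender check with the content check and report why."""
    msg = email.message_from_string(raw, policy=policy.default)
    ip, rdns = connecting_host(msg)
    confirmed = fcrdns(ip, ptr, a) if ip else None
    html = html_attachments(msg)
    reasons = []
    if confirmed is None:
        reasons.append("rdns-fail")
    if html:
        reasons.append("html-attachment")
    return {
        "ip": ip,
        "rdns": rdns,
        "fcrdns": confirmed,
        "via_outlook": bool(confirmed) and confirmed.endswith(OUTLOOK_SUFFIX),
        "html_attachments": html,
        "reasons": reasons,
        "block": bool(reasons),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_MESSAGE))
```

    Only the topmost Received header is trusted, because it is the one our own server wrote; the rDNS name and FCrDNS result come out clean for a genuine outlook.com relay, which is exactly why a strict DNS setting does not help here, while the HTML attachment rule still flags the message without touching ordinary HTML-bodied mail.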
  • They are starting to turn up on blacklists, but it makes you wonder what Microsoft are doing, i.e. do they stop mail being sent through the offending IP altogether?

    Is that IP ever recycled, e.g. used to send email from again?

    On top of that, you would still think Microsoft would scan outgoing mail?

  • I'd be surprised if the IPs would be on an RBL, Louis. What was the reason that the SMTP log gave for blocking one of those emails?

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • I checked the IP via mxtoolbox and some of them eventually went onto blacklists although not all did.

    Others were eventually detected as Malware/Phish.

    And some got through and continue to get through.